Defcon heats up with smart thermometer ransomware

Being hit by ransomware can be devastating and expensive for those affected by the encrypting malware, but it’s not just files and folders that are being targeted by it. As the Internet of Things (IoT) expands into many new connected devices, ransomware is able to go after them too, and smart thermometers are the latest kit found to be vulnerable to such attacks.

Fortunately this is one of those cases where the researchers proved it as a concept before it was seen in the wild, which at least keeps us a little ahead of the curve. UK based security researchers, Andrew Tierney and Ken Munro, both demonstrated this potential avenue of attack at the DefCon security conference in Las Vegas this week.

Together they became the first people to apply ransomware to a smart thermometer, which essentially operates like a small Linux box (thanks NextWeb) with a temperature sensor and some networking capabilities. The one in this case is also able to accept wallpapers and config settings from an SD card, which is what Tierney and Munro used to infect it with ransomware.

When enabled, the attack blocked all access to the thermometer’s functionality, covering it in a background which read: “Ha! You Suck! Pay 1 Bitcoin to get control back.” It doesn’t take much of a stretch of the imagination to understand how that might then direct an affected user to send that Bitcoin to a specific address.

Fortunately, putting the ransomware on this IoT device did require physical access to the SD card slot, but once it was infected, it was possible to take control via remote shell and IRC.

That is only the case for this brand and model of thermometer though, there are many other IoT devices that could potentially be infected remotely and though this is a proven vector and those are more hypothetical, the potential for ransomware expansion beyond desktops and laptops is very real.